4 EdgeRouter OpenVPN Server Configuration

The PKI was previously created with the easy-rsa batch scripts, and the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder now holds the CA, server and client certificates and keys:

OpenVPN Easy RSA – Keys Folder Content CA TA Server and Clients

4.a Copy Server Certificates and Keys to EdgeRouter

Subfolders are created for the EdgeRouter files and for each VPN client (e.g. Bob_iPhone, Bob_Laptop) to organize your work. Create a subfolder (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter) and copy the files:

Note: You can download the certs and keys used in this tutorial at the above links to see what a working setup looks like. Do not use these on your system to avoid a severe security risk and getting hacked due to this public disclosure. I tore down and recreated my PKI after writing this tutorial so there’s no risk to me sharing the files. The files have a .txt extension added for viewing in a web browser.

Run the bitvise SSH client (or your favorite SSH/SFTP app) and copy the files from the Admin Desktop PC (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter\) to /config/auth/ on the EdgeRouter:

Configure OpenVPN – Copy Certificate and Keys to Ubiquiti EdgeRouter

Log into the EdgeRouter CLI via SSH and change the file permissions so that only the file owner can read and write them (chmod 600), i.e. you as the root user, because no one else needs access. The ta.key TLS Authorization Pre-Shared Key and the server.key Private Encryption Key files must be kept private:

dos2unix format conversion

Because I created the PKI on a Windows 10 PC with the Easy-RSA 2.0 scripts, the certificate and key files are in DOS format, where each line break is a carriage return plus line feed (“\r\n”). The EdgeRouter is a Linux-based system running Debian and expects only a line feed character (“\n”).

DOS format certs and keys will generate a cryptic error when you “commit” after running the “set interfaces openvpn” commands:
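As an added check that is not part of the original tutorial, the following POSIX shell functions can be run on the EdgeRouter after the files land in /config/auth/: they count carriage returns in each file, strip them without needing dos2unix, enforce the 600 permissions from the previous step, and confirm the BEGIN/END markers survived. The file paths in the usage comment and the fake sample file it constructs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Checks and repairs the PEM
# files copied to /config/auth/: strips DOS "\r" characters, sets mode 600
# and confirms the BEGIN/END markers are intact. Needs only tr, wc, grep,
# chmod and mv (all present on EdgeOS), so dos2unix is not required.

# Number of carriage-return characters in a file; 0 means Unix line endings.
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# True if the file carries a PEM-style BEGIN and END marker anywhere.
# (ta.key starts with '#' comment lines, so the first line is not checked.)
pem_ok() {
    grep -q '^-----BEGIN ' "$1" && grep -q '^-----END ' "$1"
}

# Convert one file to Unix line endings, lock it to owner read/write only,
# and report a failure if the PEM markers are missing afterwards.
fix_pki_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if [ "$(crlf_count "$f")" -gt 0 ]; then
        tr -d '\r' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo "converted $f from DOS to Unix line endings"
    fi
    chmod 600 "$f"
    pem_ok "$f" || { echo "no PEM markers in $f" >&2; return 1; }
}

# Run the fix over every file given and return non-zero if any failed.
fix_all() {
    rc=0
    for f in "$@"; do
        fix_pki_file "$f" || rc=1
    done
    return $rc
}

# Constructed sample: a fake PEM-shaped file with DOS line endings so the
# functions can be exercised without real keys (not a real certificate).
make_dos_sample() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
        'FAKE-BASE64-BODY-FOR-DEMO-ONLY' '-----END CERTIFICATE-----' > "$1"
}

# Usage on the router (paths assumed to match the tutorial's file names):
# fix_all /config/auth/ca.crt /config/auth/server.pem /config/auth/server.key /config/auth/ta.key
```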

Some parameters in the following commands must be changed to match your particular EdgeRouter network, e.g. the name server IP address and subnets. See Ubiquiti EdgeRouter Lite SOHO Network Design for my network specifications to better understand how it maps to the OpenVPN configuration.

Log into the EdgeRouter via SSH and enter configuration mode. User inputs are highlighted in green.

openvpn vtun0 server name-server 10.10.0.1

The LAN IP of my EdgeRouter is 10.10.0.1 and it’s the DNS name server for the LAN. Change the IP to match your router.

The following specifies the routes to be pushed to all clients, which are the LAN/VLAN subnets that VPN clients can reach. 10.10.0.0/24 is the EdgeRouter management VLAN1 so I can log in to the EdgeRouter over the VPN, 10.10.1.0/24 is the security camera VLAN10 and 10.10.5.0/24 is VLAN50 for IoT (my home automation controller). VLANs and LAN subnets not listed here cannot be accessed over the VPN. Refer to my home network diagram for details:

openvpn vtun0 server push-route 10.10.0.0/24
openvpn vtun0 server push-route 10.10.1.0/24
openvpn vtun0 server push-route 10.10.5.0/24

DNS Forwarding vtun0

Enable DNS forwarding for VPN connections. This is necessary to resolve internal hosts and Internet domains:

configure
set service dns forwarding listen-on vtun0
commit
save

OpenVPN Firewall Rules

Firewall rules need to be defined to allow OpenVPN traffic on port 443. The general rules are shown below for context. Eth0 is connected to the cable modem for Internet access. I put OpenVPN last in the rule order since it’s a minority of traffic on my network. Change the rule # to match your firewall:

Reset the OpenVPN interface. All client connections will be dropped and should quickly reconnect:

Bob@ubnt:~$ reset openvpn interface vtun0
This will reset and re-establish all tunnel connections on this interface.
Are you sure you want to continue? (y/n) [y] y
Tunnel connections for interface vtun0 have been reset.


22 Comments

I have been working on my setup when time permits. I realize a couple of lines are duplicated in another comment I made, but I wanted to post my settings that worked in the correct area this time. I have made some additions to my setup:

Hi, I’ve not noticed any performance issues on my OpenVPN connections. Mostly because I have 300Mbps down & 30Mbps up at home, which is way faster than the remote Internet connections I use to connect remotely. I’ll try your settings and run speed tests.

> Server settings which increased my vpn throughput, but I don’t know why: The OpenVPN MAN page details the various settings. For sndbuf & rcvbuf it “Set[s] the TCP/UDP socket send [receive] buffer size. Currently defaults to 65536 bytes.” The Speed up OpenVPN and get faster speed over its channel tutorial explains that setting the buffers to zero (0) lets the Operating System determine the best buffer size. Seems to be an issue for Windows clients connecting to a Linux server (the EdgeRouter runs Debian).

> Drop root privileges after openvpn initializes: That is a best practice. Because I’m the EdgeRouter Admin and no one else has remote access accounts I didn’t bother. For a business environment you should lock it down.

I have a new Ubiquiti EdgeRouter 4 (EdgeOS v1.10.5) and I found everything to be spot on except one major nod to TLS. The version of OpenVPN on the router apparently is insufficient to use --tls-cipher DHE-RSA-AES256-SHA. When connecting via my iPhone (iOS 11.4.1) I had to drop this to let it settle on SHA1 to make it work.

I figured something was up because my Windows 10 PC could connect but not my iPhone. It took an obscene amount of reading to really grasp the problem though, so thanks to all who write these walkthroughs!

“Note the EdgeRouter OpenVPN and OpenSSL versions are much older compared to the Windows 10 and Apple iOS clients. The outdated EdgeRouter OpenVPN v2.3.2 doesn’t support TLS v1.2 and stronger ciphers such as TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 nor the Elliptic Curve suites.”

Having trouble when issuing the commit command to establish the vtun0 interface. I get the following error message:

OpenVPN configuration error: Failed to start OpenVPN tunnel.

Any advice on troubleshooting would be appreciated. I believe I was meticulous in following the instructions to establish the keys and convert from dos2unix. Copy and pasted all the “set interface commands” with adjustment to the ip addresses to my network configuration. Not sure what else I could have done wrong.

Via trial and error I conquered. I got myself into trouble by using your tutorial to modify an earlier failed configuration. I started from a blank configuration and found success. I am up and running. The configuration process for the PKI requires meticulous attention and I had to repeat those steps. Your tutorial is great. I am now looking to study the firewall implementation on your vlans to apply to my isolated subnet of IOT devices.

Put this all together, and connected. All traffic going through VPN. However, I cannot ping/access a local machine through the VPN.

server {
    name-server 192.168.1.1
    push-route 192.168.1.0/24
    subnet 192.168.200.0/24
}

VPN client is provided address 192.168.200.2. I attempt to ping 192.168.1.62 (most interesting machine on the LAN for me) and it times out.

The EdgeRouter IP is 192.168.1.1 and you’ve pushed a static route (push-route 192.168.1.0/24) for the router and LAN subnet, so what you have should work. Can you ping the ER interface 192.168.1.1 and log into the web interface?

Are your OpenVPN server and client config parameters the same as mine? Post the content of your server config “openvpn vtun0 { … }” and client config minus the certificates.

Dear Bob, I (think I) followed your tutorial to the letter but when I commit after all of the vtun0 configuration I get the error “OpenVPN configuration error: Specified ca-cert-file “/config/auth/ca.cert” is not valid.”

Thank you Bob for your help. I did run dos2unix as per the tutorial instructions. At least it is a very easy check to see if new lines characters are still Windows or if they have been changed successfully to unix style.

So it looks like the problem comes from the next line (set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem ). What gets me confused is that I double checked and server.pem does have linux-style new lines. I do not know what could be wrong.

Thank you for any help you can provide. This tutorial is really helpful.

OK, so for some reason, ca.crt failed when I used dos2unix but worked when I used it straight from windows. The 2 PEM files and server.key however needed to have the dos2unix command run on them, otherwise they would fail. ta.key also appears to have been accepted straight from Windows without the dos2unix command.

So this is one problem fixed but unfortunately I ran into a new problem: OpenVPN configuration error: Failed to start OpenVPN tunnel.

I see some other people ran into that error but could not find any definite solution. Some answers suggest that the EdgeRouter X might not be powerful enough to run OpenVPN and this is why it does not work…